Removes context "validation".
The Vault backend doesn't really care about context. Even an empty
string would suffice these checks.
Change-Id: I1c0d00675a479cf05d92cec7b69fd720a88023d3
Signed-off-by: Moisés Guimarães de Medeiros <moguimar@redhat.com>
Moisés Guimarães de Medeiros
3 years ago
| 204 | 204 | expiration=None, name=None): |
| 205 | 205 | """Creates an asymmetric key pair.""" |
| 206 | 206 | |
| 207 | # Confirm context is provided, if not raise forbidden | |
| 208 | if not context: | |
| 209 | msg = _("User is not authorized to use key manager.") | |
| 210 | raise exception.Forbidden(msg) | |
| 211 | ||
| 212 | 207 | if algorithm.lower() != 'rsa': |
| 213 | 208 | raise NotImplementedError( |
| 214 | 209 | "VaultKeyManager only implements rsa keys" |
| 280 | 275 | def create_key(self, context, algorithm, length, name=None, **kwargs): |
| 281 | 276 | """Creates a symmetric key.""" |
| 282 | 277 | |
| 283 | # Confirm context is provided, if not raise forbidden | |
| 284 | if not context: | |
| 285 | msg = _("User is not authorized to use key manager.") | |
| 286 | raise exception.Forbidden(msg) | |
| 287 | ||
| 288 | 278 | if length % 8: |
| 289 | 279 | msg = _("Length must be multiple of 8.") |
| 290 | 280 | raise ValueError(msg) |
| 302 | 292 | def store(self, context, key_value, **kwargs): |
| 303 | 293 | """Stores (i.e., registers) a key with the key manager.""" |
| 304 | 294 | |
| 305 | # Confirm context is provided, if not raise forbidden | |
| 306 | if not context: | |
| 307 | msg = _("User is not authorized to use key manager.") | |
| 308 | raise exception.Forbidden(msg) | |
| 309 | ||
| 310 | 295 | key_id = uuid.uuid4().hex |
| 311 | 296 | return self._store_key_value(key_id, key_value) |
| 312 | 297 | |
| 313 | 298 | def get(self, context, key_id, metadata_only=False): |
| 314 | 299 | """Retrieves the key identified by the specified id.""" |
| 315 | ||
| 316 | # Confirm context is provided, if not raise forbidden | |
| 317 | if not context: | |
| 318 | msg = _("User is not authorized to use key manager.") | |
| 319 | raise exception.Forbidden(msg) | |
| 320 | 300 | |
| 321 | 301 | if not key_id: |
| 322 | 302 | raise exception.KeyManagerError('key identifier not provided') |
| 358 | 338 | def delete(self, context, key_id): |
| 359 | 339 | """Represents deleting the key.""" |
| 360 | 340 | |
| 361 | # Confirm context is provided, if not raise forbidden | |
| 362 | if not context: | |
| 363 | msg = _("User is not authorized to use key manager.") | |
| 364 | raise exception.Forbidden(msg) | |
| 365 | ||
| 366 | 341 | if not key_id: |
| 367 | 342 | raise exception.KeyManagerError('key identifier not provided') |
| 368 | 343 | |
| 374 | 349 | |
| 375 | 350 | def list(self, context, object_type=None, metadata_only=False): |
| 376 | 351 | """Lists the managed objects given the criteria.""" |
| 377 | ||
| 378 | # Confirm context is provided, if not raise forbidden | |
| 379 | if not context: | |
| 380 | msg = _("User is not authorized to use key manager.") | |
| 381 | raise exception.Forbidden(msg) | |
| 382 | 352 | |
| 383 | 353 | if object_type and object_type not in self._secret_type_dict: |
| 384 | 354 | msg = _("Invalid secret type: %s") % object_type |
| 76 | 76 | def setUp(self): |
| 77 | 77 | super(KeyManagerTestCase, self).setUp() |
| 78 | 78 | self.key_mgr = self._create_key_manager() |
| 79 | self.ctxt = None | |
| 79 | 80 | |
| 80 | 81 | def _get_valid_object_uuid(self, managed_object): |
| 81 | 82 | object_uuid = self.key_mgr.store(self.ctxt, managed_object) |
| 14 | 14 | |
| 15 | 15 | Note: This requires local running instance of Vault. |
| 16 | 16 | """ |
| 17 | import abc | |
| 18 | 17 | import os |
| 19 | 18 | import uuid |
| 20 | 19 | |
| 21 | 20 | from oslo_config import cfg |
| 22 | from oslo_context import context | |
| 23 | 21 | from oslo_utils import uuidutils |
| 24 | 22 | from oslotest import base |
| 25 | 23 | import requests |
| 33 | 31 | CONF = config.get_config() |
| 34 | 32 | |
| 35 | 33 | |
| 36 | class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase): | |
| 34 | class VaultKeyManagerTestCase(test_key_manager.KeyManagerTestCase, | |
| 35 | base.BaseTestCase): | |
| 37 | 36 | def _create_key_manager(self): |
| 38 | 37 | key_mgr = vault_key_manager.VaultKeyManager(cfg.CONF) |
| 39 | 38 | |
| 45 | 44 | key_mgr._vault_url = os.environ['VAULT_TEST_URL'] |
| 46 | 45 | return key_mgr |
| 47 | 46 | |
| 48 | @abc.abstractmethod | |
| 49 | def get_context(self): | |
| 50 | """Retrieves Context for Authentication""" | |
| 51 | return | |
| 52 | ||
| 53 | def setUp(self): | |
| 54 | super(VaultKeyManagerTestCase, self).setUp() | |
| 55 | self.ctxt = self.get_context() | |
| 56 | ||
| 57 | def tearDown(self): | |
| 58 | super(VaultKeyManagerTestCase, self).tearDown() | |
| 59 | ||
| 60 | def test_create_null_context(self): | |
| 61 | self.assertRaises(exception.Forbidden, | |
| 62 | self.key_mgr.create_key, None, 'AES', 256) | |
| 63 | ||
| 64 | def test_create_key_pair_null_context(self): | |
| 65 | self.assertRaises(exception.Forbidden, | |
| 66 | self.key_mgr.create_key_pair, None, 'RSA', 2048) | |
| 67 | ||
| 68 | 47 | def test_create_key_pair_bad_algorithm(self): |
| 69 | 48 | self.assertRaises( |
| 70 | 49 | NotImplementedError, |
| 72 | 51 | self.ctxt, 'DSA', 2048 |
| 73 | 52 | ) |
| 74 | 53 | |
| 75 | def test_delete_null_context(self): | |
| 76 | key_uuid = self._get_valid_object_uuid( | |
| 77 | test_key_manager._get_test_symmetric_key()) | |
| 78 | self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid) | |
| 79 | self.assertRaises(exception.Forbidden, | |
| 80 | self.key_mgr.delete, None, key_uuid) | |
| 81 | ||
| 82 | 54 | def test_delete_null_object(self): |
| 83 | 55 | self.assertRaises(exception.KeyManagerError, |
| 84 | 56 | self.key_mgr.delete, self.ctxt, None) |
| 85 | ||
| 86 | def test_get_null_context(self): | |
| 87 | key_uuid = self._get_valid_object_uuid( | |
| 88 | test_key_manager._get_test_symmetric_key()) | |
| 89 | self.addCleanup(self.key_mgr.delete, self.ctxt, key_uuid) | |
| 90 | self.assertRaises(exception.Forbidden, | |
| 91 | self.key_mgr.get, None, key_uuid) | |
| 92 | 57 | |
| 93 | 58 | def test_get_null_object(self): |
| 94 | 59 | self.assertRaises(exception.KeyManagerError, |
| 98 | 63 | bad_key_uuid = uuidutils.generate_uuid() |
| 99 | 64 | self.assertRaises(exception.ManagedObjectNotFoundError, |
| 100 | 65 | self.key_mgr.get, self.ctxt, bad_key_uuid) |
| 101 | ||
| 102 | def test_store_null_context(self): | |
| 103 | key = test_key_manager._get_test_symmetric_key() | |
| 104 | ||
| 105 | self.assertRaises(exception.Forbidden, | |
| 106 | self.key_mgr.store, None, key) | |
| 107 | ||
| 108 | ||
| 109 | class VaultKeyManagerOSLOContextTestCase(VaultKeyManagerTestCase, | |
| 110 | base.BaseTestCase): | |
| 111 | def get_context(self): | |
| 112 | return context.get_admin_context() | |
| 113 | 66 | |
| 114 | 67 | |
| 115 | 68 | TEST_POLICY = ''' |
| 127 | 80 | APPROLE_ENDPOINT = 'v1/auth/approle/role/{role_name}' |
| 128 | 81 | |
| 129 | 82 | |
| 130 | class VaultKeyManagerAppRoleTestCase(VaultKeyManagerOSLOContextTestCase): | |
| 83 | class VaultKeyManagerAppRoleTestCase(VaultKeyManagerTestCase): | |
| 131 | 84 | |
| 132 | 85 | mountpoint = 'secret' |
| 133 | 86 | |